Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 678091 - SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
6.0
Unspecified Unspecified
urgent Severity urgent
: rc
: ---
Assigned To: Stephen Gallagher
Chandrasekar Kannan
:
Depends On:
Blocks: 678092
  Show dependency treegraph
 
Reported: 2011-02-16 12:20 EST by Stephen Gallagher
Modified: 2017-02-06 09:35 EST (History)
4 users (show)

See Also:
Fixed In Version: sssd-1.5.1-6.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 678092 (view as bug list)
Environment:
Last Closed: 2011-05-19 07:39:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0560 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2011-05-19 07:38:17 EDT

  None (edit)
Description Stephen Gallagher 2011-02-16 12:20:16 EST 
Description of problem:
SSSD shipped in 6.0 with the expectation that HBAC rules would be stored in the cn=account subtree of FreeIPAv2. However, the final version of the schema stores them in cn=hbac instead. So right now, there are no rules accepted (which means denial of all)

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA v2 server with one or more HBAC rules
2. Point an SSSD client at this server, with access_provider=ipa
  
Actual results:
User is always denied

Expected results:
Denial/permission should be based on the access control rules

Additional info:
Comment 4 Jenny Galipeau 2011-03-01 10:57:45 EST 
Verified

server
ipa-server-2.0.0-13.el6.x86_64

client:
ipa-client-2.0.0-13.el6.x86_64
sssd-1.5.1-10.el6.x86_64

[root@ipaqavmh ~]# ipa hbacrule-show testdenyssh
  Rule name: testdenyssh
  Rule type: deny
  Source host category: all
  Description: test deny
  Enabled: TRUE
  Users: mmouse
  Hosts: ipaqavmh.rhts.eng.bos.redhat.com
  Services: sshd


Mar  1 10:04:21 ipaqavmh sshd[13984]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=hp-dl180g6-01.rhts.eng.bos.redhat.com user=mmouse
Mar  1 10:04:21 ipaqavmh sshd[13984]: pam_sss(sshd:account): Access denied for
user mmouse: 6 (Permission denied
Comment 5 errata-xmlrpc 2011-05-19 07:39:47 EDT 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 6 errata-xmlrpc 2011-05-19 09:09:36 EDT 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.